Hackers Exploit WordPress Zero-Days in the Wild to Take Over Vulnerable Sites

Cybercriminals have exploited zero-days in the wild that affect three WordPress plugins, Wordfence, a WordPress security firm, said in an advisory published today. The security alert pushed a warning against these plugins that have now been fixed by their developers. The affected plugins include:

Appointments by WPMU Dev (fixed in version 2.2.2)

Flickr Gallery by Dan Coulter (fixed in version 1.5.3)

RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in version 3.7.9.3)

Wordfence said that while the PHP object injection vulnerability is extremely easy to exploit, none of these three plugins are actually popular, having a combined installation number of 21,000.

The security firm added that it detected the zero-day as part of its regular “site cleaning service.” The company investigated the hacked sites and was able to uncover the exploit after looking at the past evidence. Researchers said that the exploit included creation of a malicious file on targeted websites, but the logs would only show a POST request to /wp-admin/admin-ajax.php, making it look as if the file appeared out of nowhere.

The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created. But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities.

The security issue has been rated critical, getting a score of 9.8 out of 10 on the severity scale. The vulnerability could enable hackers to install backdoors on vulnerable sites as the exploit allowed “attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice” without requiring any authentication or privilege escalation.

“For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL,” the security firm wrote. “For the other two plugins, the request would go to admin-ajax.php.”

All three plugins have now been patched up to fix the PHP object injection vulnerability that was exploited by hackers in the wild. Website owners who are using any of these three plugins are strongly advised to upgrade to the latest versions as, according to the security researchers, the attacker can “completely take over the vulnerable site.”